Millennials, Gen Z actually suck at workplace security

It's just as you suspected: your Gen Z and millennial coworkers just aren't taking cybersecurity at work seriously enough.  Professional services firm EY made that determination after speaking to 1,000 US workers whose current job requires the use of a work-issued laptop/computer a majority of the time. While 83 percent of …

  1. pimppetgaeghsr

    It's not that we are bad, it's that we just don't care anymore.

    I'd love to see how much worse these phishing email clicks get when an entire generation gets 2% raises next year on the backdrop of 20+% inflation in food and bills.

    1. Anonymous Coward

      Company doesn't pay livable salary, peons don't give a f**k. That's the reality.

      Too bad: They created that all by themselves, it's too late to whine about it.

      1. veti Silver badge

        Who, exactly, is "they"?

        1. Joe W Silver badge

          Well, They, they are not Us. If They were, then I would be one of Them....

          1. Anonymous Coward

            I'd say we as society have completely and utterly failed or are in the process of failing. Everybody plays a part in it, however small or big.

  2. Anonymous Coward

    Bunch of whiners.

    "disregard mandatory IT updates for as long as possible"

    Yes, as they *know* that "update" is a downgrade in everything: actually useful features, usability and outlook. And it introduces a bunch of new bugs without repairing old ones. No-one sane installs those.

    Funny how YT totally wipes reality off the board and whines about one minor aspect (to the user) of the whole.

    1. Anonymous Coward

      Re: Bunch of whiners.

      > Yes, as they *know* that "update" is a downgrade in everything:

      Ha, reminds me of a highly amusing (for me) argument with a MS support person.

      This doesn't work on W10 does it

      Errrr no

      But it does on W7

      Errrr

      So can I have an upgrade from W10 to W7

      Errrr that's not an upgrade Sir, that's a downgrade

      How can moving from it doesn't work to it does work be considered as a downgrade and not an upgrade. The system is down as it is, it can't go down any further, the only way from here is up

      Errrrrrr it's still a downgrade... Errrrrrrr ... I'll send you the kit

    2. Dave K

      Re: Bunch of whiners.

      It's also because of increasing update fatigue. You're in the middle of working and are focussed, but then Office needs to install updates. No sooner than that is done, Windows needs to install updates and reboot. After this, Adobe Reader needs to install some updates. Finally you're working and focussed again, but no - Windows needs to install more updates. It's just an HP keyboard driver this time, but it is yet another disrupting reboot.

      You pull your phone out to check it whilst Windows rebooted, "updates are available".

      Hardly a surprise that more and more people just reach for the "sod off as long as possible" button. Updates are relentless, disruptive and rarely bring anything visibly useful (I know, Security and all that, but this isn't end-user facing). The whole concept and mechanism of updates needs rethinking to make it as quick and seamless as possible.

      As for passwords, how many companies supply staff with a decent password manager? If you want staff to use strong and unique passwords, supply a password manager.

      1. Joe W Silver badge

        Re: Bunch of whiners.

        Yes. On a sane operating system you can update a ton of stuff (even in the background, if you configure it that way), and it will not tell you to close programs (firefox will tell you to "reload", though), and stuff just keeps working. No need to reboot just now. At least we no longer have to reboot Windows when we change a network setting. That sucked almightily. I run Debian / Devuan Stable on my own machines. I know that any update is security related. I install them as soon as possible. If I would run a faster changing OS, then I would be more careful - it will be new software versions now and then, and these might break my workflow (in fact they have, but that was Debian unstable, about ten, maybe 15 years ago, and I was fully aware of living on the edge).

        Plus the implementation of how software is rolled out to users' machines matters. There are some software distribution programs that tell you to close this program because that one needs to be updated. Sucks. Big time.

      2. ThatOne Silver badge

        Re: Bunch of whiners.

        > Its also because of increasing update fatigue

        It's also (IMHO mostly) because of the absolutely brain dead way Windows handles updates.

        I briefly used Win11, after many years of using Linux, and was appalled: about all kinds of updates seem to require a (very) slow reboot, and they come sequentially instead of all at the same time. It's annoying and a waste of time even on a brand new high-end computer with fast SSDs, I can only guess what it must be like on older hardware with spinning rust HDs. "Nightmarish" comes to mind.

        On Linux the only thing requiring a reboot seems to be a kernel upgrade (and even that only requires you reboot eventually, when it suits you, like for instance when you've finished using the computer for the day).

        1. Michael Wojcik Silver badge

          Re: Bunch of whiners.

          And for application updates, MSI is astonishingly slow. (The same applies to VSIX and other MS installers.) I can't figure out how Microsoft managed to create an installer technology that can take close to an hour to remove one version of a product and install another. I can create a VM and install an entire Linux distribution in the time it takes some Windows products to install a new version.

      3. Captain Scarlet
        Coat

        Re: Bunch of whiners.

        Have you ever tried to train anyone to use KeePass? It is a true eye opener!

        1. Dave K

          Re: Bunch of whiners.

          That's because as powerful as KeePass is, it isn't very user friendly for less IT-literate people. Loading/saving databases, adding entries to a database via an obscure icon, making sure that the entry name matches the website title so that auto-type works, remembering the auto-type keyboard combination are all fine for a power-user, but not user-friendly for the masses, unless you roll out addons for it that add browser extensions or something.

          There are more user-friendly ones though - especially with a good browser extension. I use StickyPassword at home. If I have to register for a site, it automatically offers to generate a strong password and saves it to its database without me having to do anything other than click "OK". When I visit that website again, I don't have to click anything - it just logs in for me in a seamless manner. I'm sure many others work just as seamlessly also.

          1. Captain Scarlet

            Re: Bunch of whiners.

            We have to use what the big corp states, then again I would never use a browser extension for a password manager anyway.

          2. Anonymous Coward

            Re: Bunch of whiners.

            "KeePass isn't very user friendly for less IT-literate people"

            How computer illiterate are these users you speak of?

            I know technical ability is lacking in a lot of the population, but if they cannot even fathom a fucking GUI which has a manual (if they bothered to read it), what hope is there of them being able to even do the job involving a computer, for which they are employed!!!

      4. Terry 6 Silver badge

        Re: Bunch of whiners.

        Updates, maybe. But mostly I'd say impatience. It's a work machine. They're working. A dialogue about cookies appears with the choice of "Accept" or "Go through a long winded routine of turning stuff off". They choose accept. And get on with working on the boss's machine. It's not their problem anymore once they've clicked.

      5. Anonymous Coward

        Re: Bunch of whiners.

        The company I recently started working for actually does provide a password manager, but nobody uses it. They (the ignorant staff, and there are many) opt instead to store their passwords in notepad and leave it on-screen while being sat next to the ground floor window, oh and BTW, this company claims to be ISO 27001 accredited. I call BS, none of them lock their desktops when AFK, they have a really bad PSK for their IPSEC tunnels, not as bad as qwerty123 but it's bad.

        I suspect the company went through the motions to achieve ISO 27001, ticking boxes etc, to clinch a deal which required this. Now the deal is clinched, they can go back to their same awful bad practices.

      6. MachDiamond Silver badge

        Re: Bunch of whiners.

        "You're in the middle of working and are focussed, but then Office needs to install updates."

        The problem is your boss is expecting you to complete something and email them a copy or you promised a customer that you'd have the quote by the end of the day and you know that if you do the update, a whole S-ton of changes will have been made to the UI and it's going to take a couple of weeks to learn the new icons. You also hope they haven't deprecated the features you have grown to rely on or are part of macros that you use all of the time and will have to rework to get something like them working again. Most updates are crap to begin with. Some applications are at the pinnacle of what they are needed for to start with. All they might need is some clean up under the hood so it boots and runs faster. At the most, adding some import/export options might be useful and that's it. MS Word is massive bloatware. I find it much easier to do text stuff in a simple program just because the most used functions are in one toolbar. Excel is such a horrible dog when it comes to big data sets that I'm using Igor instead. OS's are the same way. I'd be over the moon if they didn't change anything I can see, touch or taste, but worked on getting the footprint down and processes running much faster with nothing calling Google API's.

  3. chivo243 Silver badge
    Meh

    Meh

    From personal experience, boomers to whatever is the current name of the generation, I think the same percentage of users are from the risk groups: Don't care at all, Don't know how to start the computer, Don't ask for help... no matter the generation, each one has people in the above categories.

    1. Yet Another Anonymous coward Silver badge

      Re: Meh

      Possibly a difference between some of us whose first meeting with a computer was a terminal at university with a username and a password and permissions and a big scary BOFH. And the younglings who have been used to clicking OK on their phones to get the new shiny since they were toddlers.

      Now get off my virtual lawn you whippersnappers.

      1. chivo243 Silver badge
        Windows

        Re: Meh

        Yes, forgot to wag my fist and say get off my *tumbleweeds* what was I saying again? In any case stay off my lawn!!

      2. Anonymous Coward

        Re: Meh

        > and a big scary BOFH

        And they really were scary they were and they were called Doug. I mean they'd use sarcasm

        Interviewer Doug?

        Vercotti Doug I was terrified of him. Everyone was terrified of Doug. I've seen grown men pull their own heads off rather than see Doug. Even Dinsdale was frightened of Doug.

        Interviewer What did he do?

        Vercotti He used sarcasm. He knew all the tricks, dramatic irony, metaphor, bathos, puns, parody, litotes and satire.

        1. that one in the corner Silver badge

          Re: Meh

          Yeah, I'd rather be taken for a scrape round to Dinsdale's place and have my head nailed to a coffee table.

      3. doublelayer Silver badge

        Re: Meh

        I think that experience helps a lot, but don't pretend that everyone in your generation got that. You got that. Many others came to computers later on when they were not shared and there was no scary BOFH to notice when they did their first stupid thing. You'd think that using these machines for decades would have helped, but you'd think using them all the time would as well and that doesn't either. Only learning about them helps, and many people never bothered taking that step.

      4. SundogUK Silver badge

        Re: Meh

        Older users are also more likely to have had to deal with the downside of ignoring security requirements.

      5. Munchausen's proxy
        Pint

        Re: Meh

        "Possibly a difference between some of us whose first meeting with a computer was a terminal at university"

        Terminal?

        029 (when you weren't stuck with an 026)

      6. Ken Hagan Gold badge

        Re: Meh

        Possibly also a difference between those for whom the P in PC actually did mean "personal", as opposed to the generation who have never used a device that wasn't basically controlled by someone else. (Microsoft, Google, Apple, Meta, ...)

    2. Terry 6 Silver badge

      Re: Meh

      I'd hazard a guess that the younger ones are just more prepared to admit to it. (I'm old and cynical)

      1. Michael Wojcik Silver badge

        Re: Meh

        Always a problem with self-reporting – it's very difficult or impossible to control for factors that significantly affect the quality of the reporting itself.

        I do think, though, that there's no reason (empirical or theoretical) to believe "digital natives" are more likely to have a security mindset toward IT. And there are some reasons – vigilance fatigue, for example – to believe the converse.

    3. SundogUK Silver badge

      Re: Meh

      The article very explicitly shows your personal experience is not universal.

  4. Will Godfrey Silver badge
    Unhappy

    Not surprising

    When so many companies come out with the stock "We care about your security" when it's plainly obvious they don't.

    Also how about doing that survey here in the UK? Might give quite different results.

  5. Anonymous Coward

    "something only 15 percent of boomers and 31 percent of Gen X admitted to"

    So... 85% of Boomers don't actually know enough about a computer to realize they are lying as well, and the Gen-Xers that aren't lying themselves are currently employed in IT and trying to get the rest of the company to get their shit together?

    (OK let's face it, there are still some Gen-Xers that are BOTH liars about their password and security habits and also work in IT)

    1. Yet Another Anonymous coward Silver badge

      Re: "something only 15 percent of boomers and 31 percent of Gen X admitted to"

      My home system doesn't require me to change the password every 90 days, so I don't need to use Password1,2,3 etc like I do at work.

      1. Yet Another Anonymous coward Silver badge

        Re: "something only 15 percent of boomers and 31 percent of Gen X admitted to"

        Obviously I don't really use "Password" you have to use P@ssw0rd like the leet haxorz

        1. Joe W Silver badge
          Pint

          Re: "something only 15 percent of boomers and 31 percent of Gen X admitted to"

          H4X0R$ you mean?

          1. Yet Another Anonymous coward Silver badge

            Re: "something only 15 percent of boomers and 31 percent of Gen X admitted to"

            I am informed by the passing millennial gen-z toddler that it is spelt "L33T"

            1. Mike 16

              Re: "LEET"?

              How the heck do you get a smart(ass) phone to _not_ rotate the screen image, and thus allow the "discovery" of what those digits really are?

              1. Flip

                Re: "LEET"?

                I thought it was spelled 1337 (then turned upside down).

                1. jake Silver badge

                  Re: "LEET"?

                  Don't be silly. That only works when you ROT26 it, as any fule no.

                  1. Tim99 Silver badge

                    Re: "LEET"?

                    Don't you need to ROT26 it twice?

                    1. jake Silver badge

                      Re: "LEET"?

                      At least.

      2. Mike007 Silver badge

        Re: "something only 15 percent of boomers and 31 percent of Gen X admitted to"

        Had a user who when asked their password so we could log in to their account gave Password3. Next time I needed to log in they had changed it, told me it was Password4. A while later we needed to log in to a random user to test something and I suggested trying Password5. It worked.

        Jump forward a few months. A users account has been compromised and used to send phishing emails to clients. Guess which user.

        In my defence, I did flag it up and in fact gave that user as an example when arguing against forced password changes.

        1. Robin

          Re: "something only 15 percent of boomers and 31 percent of Gen X admitted to"

          If companies got rid of the requirements for upper case, lower case, numbers, special characters blablabla and just made users type in longer phrases that are more easily remembered, then the ...1,2,3 stuff wouldn't even happen.

          1. Michael Wojcik Silver badge

            Re: "something only 15 percent of boomers and 31 percent of Gen X admitted to"

            Yes. The problem is that OSes like Windows have simple password-complexity switches that admins can turn on, but not decent passphrase-entropy estimators that are similarly easy to enable. And there's no option in Group Policy for "multiple character sets OR at least N characters".

            OS manufacturers (Microsoft and Apple in particular) and other big players (notably Google and Amazon, for AWS) decided passphrases weren't interesting, and jumped on the TOTP and/or biometrics 2FA bandwagon instead, conveniently ignoring the failure modes of TOTP devices and biometrics.
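A password-change policy of the kind this post asks for, written as an added example (not code from the thread or any product): it accepts a long passphrase OR a shorter multi-class password, rejects the Password3 -> Password4 increments described earlier in the thread, and undoes leet-speak dressing such as P@ssw0rd before consulting a deny-list. The thresholds and the deny-list are assumed, constructed values.

```python
"""Password-change policy check (added example, not from the thread).
Implements "multiple character sets OR at least N characters", rejects
trailing-digit increments, and de-leets values before a deny-list check.
Thresholds and the deny-list are assumed, constructed values."""
import re
from typing import Optional

MIN_PASSPHRASE_LEN = 16    # long passphrase: accepted regardless of character classes
MIN_CLASSES = 3            # short password: needs this many classes ...
MIN_LEN_WITH_CLASSES = 8   # ... and at least this many characters

# Common substitutions users make to satisfy complexity rules.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})
# Constructed deny-list; a real deployment would use a breached-password corpus.
DENY_LIST = {"password", "qwerty", "letmein", "welcome"}


def char_classes(pw: str) -> int:
    """Count how many of lower/upper/digit/other appear in the password."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, pw))


def normalize(pw: str) -> str:
    """Lower-case, drop trailing digits/punctuation, then undo leet substitutions,
    so P@ssw0rd1, Password3 and Pa55word all reduce to 'password'."""
    base = re.sub(r"[\d\W_]+$", "", pw.lower())
    return base.translate(LEET_MAP)


def _stem(pw: str) -> str:
    """The password without its trailing digits, case-folded."""
    return re.sub(r"\d+$", "", pw.lower())


def is_trivial_increment(new: str, old: str) -> bool:
    """True when only the trailing digits differ (Password3 -> Password4)."""
    return new.lower() != old.lower() and _stem(new) == _stem(old)


def check_password(new: str, old: Optional[str] = None) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    reasons = []
    long_enough = len(new) >= MIN_PASSPHRASE_LEN
    complex_enough = (len(new) >= MIN_LEN_WITH_CLASSES
                      and char_classes(new) >= MIN_CLASSES)
    if not (long_enough or complex_enough):
        reasons.append(f"need at least {MIN_PASSPHRASE_LEN} characters, or "
                       f"{MIN_LEN_WITH_CLASSES}+ characters from {MIN_CLASSES} classes")
    if normalize(new) in DENY_LIST:
        reasons.append("deny-listed word once leet-speak and trailing digits are removed")
    if old is not None:
        if new.lower() == old.lower():
            reasons.append("same as the previous password")
        elif is_trivial_increment(new, old):
            reasons.append("only the trailing digits changed")
    return reasons


if __name__ == "__main__":
    for candidate, previous in [("Password4", "Password3"),
                                ("P@ssw0rd1", None),
                                ("correct horse battery staple", "Password4")]:
        print(f"{candidate!r}: {check_password(candidate, previous) or 'accepted'}")
```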

          2. John Brown (no body) Silver badge
            Joke

            Re: "something only 15 percent of boomers and 31 percent of Gen X admitted to"

            "type in longer phrases that are more easily remembered, then the ...1,2,3 stuff wouldn't even happen."

            Until the number of users being locked out rises due to typos. Have you seen the state of some people's spelling these days? They can't survive without auto-correct and predictive text :-)

            1. jake Silver badge

              Re: "something only 15 percent of boomers and 31 percent of Gen X admitted to"

              "They can't survive without auto-correct and predictive text"

              From what I've seen, most of the people who rely on such things can't survive WITH it.

              1. John Brown (no body) Silver badge
                Thumb Up

                Re: "something only 15 percent of boomers and 31 percent of Gen X admitted to"

                True. All the words are spelled correctly. It's just not always the words they intended to use :-)

                1. jake Silver badge

                  Re: "something only 15 percent of boomers and 31 percent of Gen X admitted to"

                  "All the words are spelled correctly."

                  Pace British English/American English (etc.) tomfoolery. But we should probably leave that discussion in the other thread, where it belongs.

                  For small values of belongs ...

  6. karlkarl Silver badge

    I think my "generation" (~1987) is more savvy when it comes to the basic threats from email attachments and things like that.

    However they do open themselves to attack from all the many online services that they flippantly use which older generations don't. Similarly with phone apps. These tend to hit my generation more because they seem to love them.

    So really I think it is education, there will be pros and cons, strengths and flaws in each generation as we use computers differently.

  7. Anonymous Coward

    It would help

    if we stopped making this so difficult for people.

    Passwords need to go, there are no excuses, just businesses giving in to inertia. SSO and passkeys, if they were a few clicks for the admins to implement, would bury a big chunk of this. Also, providing a decent password vault for your employees wouldn't hurt. It doesn't help that on both Macs and Windows boxes the password infrastructure is stuck in the 90's, and since so many systems try to pull from AD if you set password expiration, users inevitably get blocked trying to log into a system that can't successfully update their password. Bonus points for confused Mac users resetting their password on the windows/AD side and losing their keychain.

    And then there is the patching issue. Windows patching is a crime against humanity at this point, and Apple has been nearly as bad with OSX updates. Both have been moving two steps forwards and 1.5 steps back since the Win 7/Leopard era. Installing updates is slow, needs admin rights, dumps unsaved work, and in many cases the user will lose all their open windows. The OS will nag them incessantly, but your choice as an admin is "Force install and reboot regardless of the howls" or to individually chase users down and pry the computer out of their hands to make them run the updates. Nagging pisses them off, and the prompts don't guide users through doing it properly, or in many cases make it easy for users without admin rights to request the updates be applied other than calling, opening a ticket or showing up at the IT office doorstep holding their laptop like a caricature of a pauper in some old Dickens novel.

    "Please sir, may I have my system updates? It's been nagging something fierce, but when I hits OK the progress bar stops after 25 min and she just says install failed! Try again?"

  8. Someone Else Silver badge

    They'll learn...

    The young-uns will learn in time, once they have their credit broken, their bank accounts drained and/or their jobs lost as a result of their blithely arrogantly cavalier attitudes about cybersecurity. After all, one can't be arsed to give a flying fuck about cybersecurity in one's lemming-like[1] chase for the latest shiny.

    Won't somebody think of the FOMO?

    [1] OK, I know the lemming thing was faked, and real lemmings don't do that...do they?

  9. Dan 55 Silver badge
    Meh

    Easy one this

    People who put off restarting to install updates don't have time to close down each program, wait for Windows to update, restart, wait for Windows to update some more, log in, and open all their programs again because they have actual real work to do. They're usually younger employees as opposed to older managers.

    1. Will Godfrey Silver badge
      Linux

      Re: Easy one this

      Whatfor this "Win-dohs" of which thou speakest :P

  10. Jan 0

    Meanwhile,

    us old bulge babies just wish these new gizmos could plot our old punched tape porn archives. Modern generations just don't understand.

    1. that one in the corner Silver badge

      Re: Meanwhile,

      Preferred the punched card porn: tape is softer but the cards, ah, you could really feel them properly, running your fingertips over the chads.

      Hmm, the copy of ELIZA tucked away with a few lace cards on top.

  11. Norman Nescio

    nearly a half of Gen Z and millennials were "likely to accept web browser cookies on their work-issued devices all the time or often,"

    Hmm. Couldn't rejecting all cookies be set by a work group policy? Which would make browsing 'interesting' given how many sites insist on setting 'necessary' cookies to allow basic functionality. The Google search page attempts to set six. Of course, I block most with uMatrix and automatically delete unnecessary ones on closing the tab, but I'm too old to be cavalier about cookie use.

    And while cookies are used for tracking purposes, I'd have thought that indiscriminate acceptance of javascript to be a greater security threat. Perhaps I'm out of date. One side effect about being reasonably parsimonious about which scripts I allow means that, unfortunately, I get to see very few adverts. Perhaps they are important, and I am missing out?

    1. Mike 137 Silver badge

      Perhaps I'm out of date

      "I'd have thought that indiscriminate acceptance of javascript to be a greater security threat"

      No, you're not out of date, just better informed. Javascript is still the primary vector for automated attacks via web browsers and also quite significant for attacks via PDF files. It's idiotic to run unverified code from untrusted sources (particularly when done blindly) but unfortunately the current population of web devs are either clueless or uncaring about our security, so they force it on us. And the hazard is growing. I have stopped in despair counting the static web pages that rely entirely on scripting to render. The ironic classic is the UK government's National Cyber Security Centre web site, which is entirely a javascript app. You can't even see the emergency contact phone number with scripts disabled.

  12. that one in the corner Silver badge

    EY did not define ranges for the four generations included in the report.

    Great, so we're going to get people referring to Wikipedia and its idiotic suggestion that the Baby Boom lasted until The Pill became commonplace?

    1. ThatOne Silver badge
      Unhappy

      Re: EY did not define ranges for the four generations included in the report.

      > ranges for the four generations included in the report

      It would be too quaint and uncool to call them by the actual years. Giving them fancy and slightly obscure names turns them into very distinct tribes, and thus reinforces the "us vs. them" feeling of each generation.

      Age, sex (or lack thereof), color, religion/politics, we have so many things we can segregate by... :-(

      1. Michael Wojcik Silver badge

        Re: EY did not define ranges for the four generations included in the report.

        And the generational-cohort terms were invented initially to describe economic trends in the US (the "Baby Boom", aka "Boomer", cohort was initially important because of its effects on things like school-system capacity), and then later to describe certain mainstream cultural trends, again in the US.[1]

        Using those terms outside those contexts is already suspect, and far more suspect when used for people outside US mainstream culture.

        It's pop-sociology bullshit, a pseudoscientific excuse to generalize with no real empirical basis.

        [1] Most of the generational-cohort terms were coined by Howe & Strauss in 13th Gen, which was very much pop sociology and not any sort of attempt to be rigorous demographic or economic analysis. And I suspect the vast majority of people who like to throw around terms like "Boomer" and "Millennial" have never read 13th Gen (which is a pity, because it's pretty interesting if you don't take it as rigorous). Meanwhile, "Generation X" was coined by Copeland for a story collection, and he intended it to describe a considerably smaller group than what "Gen X" is now usually applied to. And H&S's "13er" was a better term anyway.

      2. John Brown (no body) Silver badge

        Re: EY did not define ranges for the four generations included in the report.

        "It would be too quaint and uncool to call them by the actual years. Giving them fancy and slightly obscure names turns them into very distinct tribes, and thus reinforces the "us vs.them" feeling of each generation."

        It seems to be primarily a US thing IME. Nothing must be known by its proper name, everything must have a "cool sounding" new name. Now don't get me wrong, the Yanks are great at coming up with new words and especially acronyms for projects and such, but PLEASE stop doing it to things that already have names. It just confuses everyone. But those "nicknames" do seem to catch on very very quickly across the US. It's like some sort of forced hothouse evolution of language. A recent one I've come across is the pronunciation of cache, as in a cache of treasure. Suddenly it's being pronounced "cachet" on all the US TV programmes (that use the word, ie not all of them, obviously). Seems to have started a year or two back, but pretty much every treasure hunting documentary seems to have switched now. Possibly, they are trying to sound sophisticated and have learned that cache is a French word so are trying to be too clever and think it's pronounced caché :-)

        1. jake Silver badge

          Re: EY did not define ranges for the four generations included in the report.

          "pretty much every treasure hunting documentary"

          Consider the source. It's not like the producers, actors, script-writers and intended targets are the sharpest tools in the shed.

          For the record, I've only heard it called "cache" by the vast majority of the population (the Jr. High set has just discovered geo caching ... ).

        2. that one in the corner Silver badge

          Re: EY did not define ranges for the four generations included in the report.

          > trying to be too clever

          by also (mis)using words - "very odd" is boring, "very unique" has a q in it, so much intellectual, very dictionary.

  13. Anonymous Coward

    Bad at analytics too

    Are the people working at EY a good representation of general workforce skills?

  14. Joe W Silver badge

    Being confident...

    "only 41 percent of EY's respondents said they were confident they could identify a phishing attempt, and only 38 percent were confident they could avoid ransomware."

    Sure. I'm.... more or less confident. I could craft a website that would fool me, and I guess many others. Do phishers go that length? For "spearphishing" I guess. Am I confident I would spot that? Not really. If they want to get me they will get me. I would get me. Same with ransomware. I don't browse questionable websites, I do not download questionable files and run them, I keep my system more or less up to date. If there's a zero day exploit out there that is wormable they will get me. Boom. That's it.

    So, no, I am not confident I can avoid it. I am confident that I do the most basic things to avoid phishing and ransomware and the resulting mayhem. This makes me a more difficult target than others. Like locking your bike. The lock has to be better than that of the other bikes, and the bike has to be less shiny than the others. Saint Florian principle ("Heiliger St Florian, beschütz mein Haus zünd and're an!" Holy St Florian, protect my house, burn others) applied to security. Sorry.

    1. Michael Wojcik Silver badge

      Re: Being confident...

      Indeed, there have been studies which show (for some value of "show") that IT workers are more likely to fall for certain classes of attacks because they're more likely to overrate their own security skills and practices.

      Confidence in your own vigilance is not a good sign.

      Cory Doctorow's story of how he got phished is a useful example of how security awareness only goes so far, and perfect vigilance is impossible. Humans aren't great at vigilance, and the systems we use aren't great at proving their authenticity.

  15. Anonymous Coward

    I blame the kids

    As a boomer, I couldn’t wait to retire.

    I got sick of working with “kids” (people under 50).

    Grrrrr

  16. AlexV

    Cookies are not a security risk

    There is no security risk in accepting cookies. You may prefer to be anonymous and not to receive personalised advertising, and if you care about privacy at all you probably don't want advertising companies knowing which sites you visit. But it's not a security risk.

    1. Will Godfrey Silver badge
      Facepalm

      Re: Cookies are not a security risk

      Wrong!

      Any information you give away is a potential security risk, and much more so when you don't know just what information they got.

      Two pieces of information commonly sent are your browser and OS.

      Oh, and there's the time and possibly your location.

      1. tiggity Silver badge

        Re: Cookies are not a security risk

        Plus some sites have in the past used the bad habit of storing various credential tokens, session ids etc in cookies - in cases where creds have a reasonable lifetime then malicious attack could use creds info in cookie to impersonate you on the relevant website and exploit away.

        This type of bad practice is (hopefully) on the wane, but in general web devs far too often store a lot of data in cookies that they shouldn't, as security seems way down the priority list compared to churning out zillions of lines of JS code for what could easily be done as a static site.

        1. doublelayer Silver badge

          Re: Cookies are not a security risk

          "Plus some sites have in the past used the bad habit of storing various credential tokens, session ids etc in cookies - in cases where creds have a reasonable lifetime then malicious attack could use creds info in cookie to impersonate you on the relevant website and exploit away."

          That is bad, but unrelated to storing the cookie. If you don't store the cookie, then you will be asked to log in next time because you won't present the cred, but the site would still accept it if you did. If you have malware watching the connection, either resident on your device or intercepting the traffic, then whether or not you save that data, the malware can get a copy and use it. That's a problem with the site and setting the option to immediately delete cookies will not fix it.

      2. Ken Hagan Gold badge

        Re: Cookies are not a security risk

        You write potential.

        I read possible future.

        Not trying to be blasé, but I think it is worth distinguishing between things that are a risk already and things that might lead to a risk in future.

      3. Michael Wojcik Silver badge

        Re: Cookies are not a security risk

        Any information you give away is a potential security risk

        Or more formally, for any action which leaks information from the system under consideration, there's a threat model under which that action increases risk.

        Claiming that something "isn't a security risk" without specifying the threat model means that either you (i.e. the original poster) are not interested in being rigorous, or don't know much about security. In either case we can probably ignore that claim and its supporting argument.

      4. doublelayer Silver badge

        Re: Cookies are not a security risk

        "Two pieces of information commonly sent are your browser and OS. Oh, and there's the time and possibly your location."

        These are not in cookies. Browser and OS are in the user agent header. If you set your browser to delete all cookies, it will not change that header. Time is known by the server because it's processing your request and it has a clock on it. Location is from your IP address, so if you're directly connecting to the server, they can use that to take a guess. None of that data will be protected if you disable cookies. The only thing it does is to hopefully make it harder to fingerprint you if your location changes.

        There are still privacy risks, and privacy of a company's information can be of security importance, but it's useful to know what cookies do and what they don't.
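Added example, not part of the thread: a small Python model of the two points made above, that browser, OS, time and IP reach the server through the request and the connection rather than through cookies, and that the exposure of a copied session cookie (the tiggity/doublelayer exchange) is bounded by server-side controls, not by the client deleting cookies. The request text, IP address and token lifetime are constructed.

```python
import secrets
from http.cookies import SimpleCookie

REQUEST = (  # constructed request text, as the server receives it
    "GET /account HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0\r\n"
    "Cookie: session=abc123; theme=dark\r\n\r\n"
)
CLIENT_IP = "203.0.113.7"  # constructed; the IP comes from the TCP peer, not from a header

def server_view(raw_request: str, peer_ip: str, now: float) -> dict:
    """Split what the server learns by where it actually comes from."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = SimpleCookie()
    cookies.load(headers.get("cookie", ""))
    return {
        "user_agent": headers.get("user-agent", ""),  # browser/OS: a header, not a cookie
        "client_ip": peer_ip,                         # location guess: the connection
        "server_time": int(now),                      # the server's own clock
        "cookies": {k: m.value for k, m in cookies.items()},
    }

def strip_cookies(raw_request: str) -> str:
    # A browser configured to send no cookies removes only the Cookie header.
    kept = [l for l in raw_request.split("\r\n") if not l.lower().startswith("cookie:")]
    return "\r\n".join(kept)

class SessionStore:
    """Server-side controls that bound the damage of a copied session cookie."""
    def __init__(self, ttl_seconds: int):
        self.ttl, self._sessions = ttl_seconds, {}
    def issue(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)           # unguessable, not derived from creds
        self._sessions[token] = (user, now + self.ttl)
        return token
    def user_for(self, token: str, now: float):
        entry = self._sessions.get(token)
        if entry is None or now >= entry[1]:        # expired tokens are rejected and purged
            self._sessions.pop(token, None)
            return None
        return entry[0]
    def set_cookie_header(self, token: str) -> str:
        return (f"Set-Cookie: session={token}; Max-Age={self.ttl}; Path=/; "
                "Secure; HttpOnly; SameSite=Lax")    # HttpOnly: not readable by page JS
```

Comparing `server_view` on the request before and after `strip_cookies` shows the user agent, IP and time unchanged, while `SessionStore` shows the lifetime and cookie flags that actually limit a leaked token.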

        1. Will Godfrey Silver badge
          Happy

          Re: Cookies are not a security risk

          I stand (or rather sit) corrected.

          Don't you dare do that again or I'll be forced to throw an immature (roll around on the floor) tantrum.

  17. jake Silver badge

    As a consultant ...

    ... These numbers seem to be a trifle conservative.
